How to extend CA certficate

[zuku81]

Hi,
how coud I extend the validity period of main CA certificate?
I have created CA with too short valid period then issued form it many certificates, what should I do to maintain all issued certificates?
Or do I neet create new one CA and reissue all certs?

thanks for help me with that.

[ThioJoe]

Have you tried right clicking the Root CA in the Certificates tab, and selecting "Renewal"? I've not done it myself but I expect you'd also want to check "Keep serial number" in the menu that comes up.

[ARGYROU-MINAS]

You cannot extend a CA, or any certificate for that matter. By changing it's parameters (duration of validity), it is not the same certificate anymore and so cannot be extended.
But, even though this is unrelated to bugs/problems, I have a solution.
During certificate chain validation, the program doesn't check if the fingerprint of the CA matches as the Issuer. The check is permormed to see if the issued certificate has a signature that matches the CA's oublic key.

So, just create a CA root certificate with the same key. BUT, the validation procedure looks for a Root CA with either the same Subject that is called the Issuer of the issued certificate, or it checks whether the Authority Key Identifier of the issued certificate matches the Subject Key Identifier of the Issuer/Root CA.

To sum up, create a new certificate using the same public key and keep all the fields (well, tbh, mostly those I mentione above).
After that, you HAVE to just remove the previous ROOT CA certificate fromyou trust store, so nobody can find it and use it to validate a chain. Then you must PUT the new certificate as a Trusted CA. From then on, the previously issued certificates will chain up to your new CA certificate, since the public key matches the signature.

FOR CONFORMANCE, make sure that, in the new certificate, you set the NotBefore/Valid from to be the SAME VALUE as the one that was set on the old certificate. Don't put the as NotBefore/Valid from the date you actually generated the new CA certificate. Doing that, will make all previously issued certificates inconformant, since they have been isues before their signing CA was generated.

[chris2511]

So, just create a CA root certificate with the same key.

That's actually the point of the "renewal" option and it does exactly what you described.

The last paragraph is not correct. It is only necessary that all certificates in the chain are valid at the time of verification.
Just tried a renewed CA with different serial-number and later "valid from" date than the server certificate and Firefox did not complain.